CVE-2025-61917: n8n: Info Disclosure leaks sensitive data
Severity: HIGH
n8n's task runner leaks process memory to untrusted code nodes — any authenticated user with workflow edit access can read API keys, tokens, and secrets from other concurrent or recent workflow executions. If you run n8n for AI agent orchestration, this is a credential theft risk regardless of the 7.7 score: the Changed scope (S:C) means one low-privilege account can drain secrets from the entire platform. Patch to 1.114.3 immediately and rotate all credentials processed through n8n since version 1.65.0.
What is the risk?
High operational risk for organizations using n8n as an AI agent orchestrator. The CVSS scope change reflects cross-workflow memory boundary impact: an attacker with only low privileges in one workflow context can read residual memory from other workflows. In AI-heavy deployments, n8n routinely processes LLM API keys (OpenAI, Anthropic, Azure AI), database credentials, OAuth tokens, and webhook secrets — all prime targets. No special tooling or AI knowledge required; Buffer.allocUnsafe exploitation is trivial and well-documented in Node.js security literature.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Do you use n8n? You're affected.
What should I do?
6 steps:
1. PATCH NOW: upgrade n8n to 1.114.3+ — this is the only full remediation.
2. If patching is delayed: restrict Code node permissions to admin-only users in n8n settings to limit the attack surface.
3. ROTATE CREDENTIALS: treat all API keys, OAuth tokens, DB passwords, and webhook secrets processed by n8n workflows since version 1.65.0 as potentially compromised.
4. Audit access logs for anomalous Code node creation, especially by non-admin users, or unusual outbound HTTP requests from workflow executions.
5. For hosted/cloud n8n: verify your managed version is updated and contact your vendor if uncertain.
6. Detection signal: alert on new Code nodes created by low-privilege accounts that allocate large Buffers or make unexpected external HTTP calls.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-61917?
n8n's task runner leaks process memory to untrusted code nodes — any authenticated user with workflow edit access can read API keys, tokens, and secrets from other concurrent or recent workflow executions. If you run n8n for AI agent orchestration, this is a credential theft risk regardless of the 7.7 score: the Changed scope (S:C) means one low-privilege account can drain secrets from the entire platform. Patch to 1.114.3 immediately and rotate all credentials processed through n8n since version 1.65.0.
Is CVE-2025-61917 actively exploited?
No confirmed active exploitation of CVE-2025-61917 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-61917?
1. PATCH NOW: upgrade n8n to 1.114.3+ — this is the only full remediation.
2. If patching is delayed: restrict Code node permissions to admin-only users in n8n settings to limit the attack surface.
3. ROTATE CREDENTIALS: treat all API keys, OAuth tokens, DB passwords, and webhook secrets processed by n8n workflows since version 1.65.0 as potentially compromised.
4. Audit access logs for anomalous Code node creation, especially by non-admin users, or unusual outbound HTTP requests from workflow executions.
5. For hosted/cloud n8n: verify your managed version is updated and contact your vendor if uncertain.
6. Detection signal: alert on new Code nodes created by low-privilege accounts that allocate large Buffers or make unexpected external HTTP calls.
What systems are affected by CVE-2025-61917?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, model serving, data pipelines, API integration workflows, RAG pipelines.
What is the CVSS score for CVE-2025-61917?
CVE-2025-61917 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.36%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0037 Data from Local System
- AML.T0053 AI Agent Tool Invocation
- AML.T0055 Unsecured Credentials
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0085.001 AI Agent Tools
Compliance Controls Affected
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3.
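The following is an added example, not code from the n8n project or from this advisory. It shows the zero-filled allocation that replaces `Buffer.allocUnsafe()`, and a small audit that flags Code nodes in an exported workflow whose source calls `allocUnsafe`/`allocUnsafeSlow` (supporting the detection step above). It assumes the export format has a `nodes` array, that Code nodes use the type `n8n-nodes-base.code`, and that their source lives in `parameters.jsCode`; the sample workflow is constructed.

```javascript
// Added example (not n8n project code). Assumptions: exported workflow JSON
// has a `nodes` array; Code nodes have type "n8n-nodes-base.code" and keep
// their JavaScript source in parameters.jsCode.

const UNSAFE_ALLOC = /Buffer\s*\.\s*allocUnsafe(Slow)?\s*\(/g;

// Return one finding per Code node whose source calls Buffer.allocUnsafe*.
function findUnsafeAllocNodes(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== 'n8n-nodes-base.code') continue;
    const src = (node.parameters && node.parameters.jsCode) || '';
    const matches = src.match(UNSAFE_ALLOC);
    if (matches) findings.push({ node: node.name, calls: matches.length });
  }
  return findings;
}

// Zero-filled allocation: the defensive replacement for allocUnsafe. Every
// byte is initialised, so no residue from earlier tasks can be read back.
function safeAlloc(size) {
  return Buffer.alloc(size);
}

// True when every byte of the buffer is zero.
function isZeroed(buf) {
  return buf.every((b) => b === 0);
}

// Constructed sample export: one benign Code node and one that allocates
// uninitialised memory twice.
const SAMPLE_WORKFLOW = {
  name: 'nightly-report',
  nodes: [
    { name: 'Fetch', type: 'n8n-nodes-base.httpRequest',
      parameters: { url: 'https://example.invalid/report' } },
    { name: 'Format', type: 'n8n-nodes-base.code',
      parameters: { jsCode: 'return items.map(i => ({ json: { ok: true } }));' } },
    { name: 'Scratch', type: 'n8n-nodes-base.code',
      parameters: { jsCode: 'const b = Buffer.allocUnsafe(65536);\n' +
        'const c = Buffer.allocUnsafeSlow(4096);\nreturn [{ json: { n: b.length } }];' } },
  ],
};

console.log('unsafe allocations:', findUnsafeAllocNodes(SAMPLE_WORKFLOW));
console.log('safeAlloc zeroed:', isZeroed(safeAlloc(4096)));
```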
Exploitation Scenario
An attacker with a standard n8n user account (obtained via phishing a team member or exploiting a shared workspace) creates a new workflow containing a Code node with: const buf = Buffer.allocUnsafe(65536); followed by an HTTP request exfiltrating the raw buffer contents to an attacker-controlled endpoint. By scheduling this workflow to run repeatedly during peak usage hours, the attacker captures memory residue from concurrent executions: OpenAI API keys from LLM orchestration nodes, PostgreSQL connection strings from database query steps, Slack tokens from notification workflows, and Stripe keys from payment automation. Each captured credential enables lateral movement into downstream systems — all from a single low-privilege n8n account with no AI/ML knowledge required.
Weaknesses (CWE)
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Primary)
- CWE-668 Exposure of Resource to Wrong Sphere (Primary)
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
References
Timeline
Related Vulnerabilities
- CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials (Same package: n8n)
- CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion (Same package: n8n)
- CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (Same package: n8n)
- CVE-2026-27494 9.9 n8n: security flaw enables exploitation (Same package: n8n)
- CVE-2026-27495 9.9 n8n: Code Injection enables RCE (Same package: n8n)